SonarQube Remediation Agent

The SonarQube Remediation Agent runs an independent review and analysis to help you fix reliability and maintainability issues found in your latest code. It focuses on new issues discovered in your latest GitHub pull request (PR). These issues, picked up by the agent, would otherwise break the new code conditions of your quality gate and block the merge of your PR.

The agent uses OpenAI's GPT-5.1 LLM to generate fix suggestions in the background and checks that the new code does not introduce new issues before offering the suggestion.

The SonarQube Remediation Agent is only triggered by a Pull request analysis and does not engage with your branch analysis. See the Quality gate and metrics article to learn more about how the quality gate is computed on during a PR analysis.

Requirements and limitations

The SonarQube Remediation Agent, when enabled, runs in your PR on private projects in GitHub.

You must have either Automatic analysis enabled or be running a CI-based analysis on your GitHub repository.

The agent can suggest code fixes on your pull request for maintainability, reliability, and a select set of security issues found in Java, JavaScript/TypeScript, and Python code; the agent can also suggest fixes for Secrets detected in your code.

For a full list of supported rules, open the expandable below with your selected language:

Limits are placed on the agent’s activity to avoid noise in the comment history of your GitHub pull request. Currently, the limit is 50 issues; if more than 50 issues are introduced in your PR, the agent will not be triggered.

Subscription

The SonarQube Remediation Agent is a Beta feature available with Enterprise plan accounts. It is free during the beta phase and will be a paid feature when it moves to General availability (GA).

If your SonarQube Cloud organization is not on an Enterprise plan, please see the Getting started with Enterprise pages to get the process started. To learn more about the terms & conditions for Beta, please see our legal page about features in Early Access.

Sharing your code with Sonar

If you use the SonarQube Remediation Agent, the affected code snippet will be sent by the agent to an LLM to generate a fix suggestion. These suggestions are verified by Sonar before being offered as an issue fix. Service agreements with Sonar’s LLMs prevent your code from being used to train those models and it is not stored by the LLM provider nor by any third party.

For details about terms and conditions, please refer to the Early Access terms in our Legal Documentation.

Enable your agent

A SonarQube Cloud organization admin and an administrator for your GitHub account are needed to set up Sonar's AI Agent for automated developer workflows:

1. If you haven't already, follow the instructions about Activating automatic analysis or enabling a CI-based analysis on your project hosted in a GitHub repository.

2. Navigate to Your SonarQube Cloud Organization > Administration > AI capabilities > AI agent.

3. A GitHub administrator needs to install the SonarQube Agent GitHub app. Under Install app, select GitHub. The administrator will be prompted to install the app on the GitHub organization already linked to your SonarQube Cloud organization. If installed, the agent will be granted:

   • Read and write access to code and pull requests,

   • And Read-only access to issues and metadata.

4. Choose either All repositories or Only select repositories to control which repositories the AI agent can access. Once you've made your selection, select Install & Authorize to finish the setup. Please note that the installation may take a few seconds to complete.

5. After all the steps are successfully finished, the Enable agent > Remediation agent option will be automatically selected in SonarQube Cloud, and you will be able to commit the agent’s suggestions directly from your PRs.

Manage agent access

The SonarQube Remediation agent only has access to the repositories you define. To change repository access, a GitHub administrator who is also a SonarCloud Administrator can navigate in SonarQube Cloud to Your Organization > Administration > AI capabilities > AI agent. Under Install app, select Manage Permissions which takes you to your GitHub Apps page.

Alternatively, a GitHub administrator can navigate in GitHub to Your GitHub Organization > Settings > Third-party Access > GitHub Apps. Under Installed GitHub Apps > SonarQube Agent, select Configure.

• In GitHub, under SonarQube Agent > Repository access, add or remove your repositories from the list. When finished, select Save to confirm your selection.

Disable or suspend agent access

It is possible to disable the SonarQube Remediation agent in SonarQube Cloud or in GitHub, if you prefer.

A SonarCloud Administrator can navigate to Your Organization > Administration > AI capabilities > AI agent > Enable agent and unselect Remediation agent. Once Save is selected, the agent will no longer be triggered in GitHub.

To suspend or uninstall SonarQube Agent completely, navigate in GitHub to Your GitHub Organization > Third-party Access > GitHub Apps > SonarQube Agent > Danger zone and select Suspend or Uninstall.

• Suspend will block the agent’s access to your repositories. Choosing this option is the easiest way to restart the agent, when you're ready.

• If you select and confirm Uninstall, the SonarQube Agent will be removed from all of your repositories and from your SonarQube Cloud Organization. The agent's activity will be remain in your PR history but if you want to use the agent again, you must return to the beginning to Enable your agent.

Agent behavior

The SonarQube Remediation agent's behavior is described on the Agents in your GitHub pull request page, along side other topics about Managing code issues in SonarQube Cloud.